Prinz Eugen “leaves no ransom note on the system,” a deliberate choice that Threatdown’s researchers say is intended to reduce forensic artifacts and push ransom communications off-device.
Stolen RDP credentials, RemotePC, and the payload 'servertool.exe'
Threatdown, Malwarebytes’ enterprise cybersecurity arm, reports that Prinz Eugen intrusions appear to begin with stolen RDP credentials. After access is gained, the attackers manually download and run a main payload named servertool.exe. In the investigated incident, researchers observed use of the RemotePC remote monitoring and management (RMM) tool and a backdoor administrator account that provided persistence.
The report characterizes the operation as “hands-on-keyboard,” with human operators using legitimate RMM software and living-off-the-land tools rather than fully automated intrusion chains. That manual approach is consistent with the observed post-access activity: credential-based entry, direct deployment of the encryptor, and the establishment of a persistent backdoor account.
Recent-file prioritization and exhaustive recursion
In an analyzed sample, Prinz Eugen orders its encryption workload to hit recently modified files first. When multiple files share an identical timestamp the code processes them in alphabetical order. Threatdown researchers interpret this ordering as a pressure tactic — targeting files most likely to be business-critical or in active use to increase the victim’s incentive to pay.
The ransomware checks directories recursively with no depth limit and no exclusions, encrypting virtually every file it encounters except those already bearing the .prinzeugen extension (the marker used for encrypted files).
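The ordering described above (newest modification time first, alphabetical on ties) and the .prinzeugen marker are themselves hunt signals. The following detector is an added example written for this page, not code from Threatdown or from the malware: it runs over constructed endpoint file-write telemetry and flags a process that writes a burst of files carrying the encrypted extension in exactly that newest-first order. The FileEvent shape, in particular the assumption that the telemetry records each target's pre-write modification time, and every path and timestamp in the sample are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".prinzeugen"   # marker the report attributes to encrypted files


@dataclass
class FileEvent:
    ts: datetime          # when the write was observed
    pid: int              # writing process
    path: str             # file written (constructed paths)
    orig_mtime: datetime  # the target's last-modified time before it was touched
                          # (assumption: the telemetry source records this)


def newest_first(events):
    """True when original mtimes never increase along the sequence and files
    sharing an mtime appear in alphabetical order: the ordering the report
    attributes to the encryptor."""
    keys = [(-e.orig_mtime.timestamp(), e.path.lower()) for e in events]
    return keys == sorted(keys)


def encrypted_ratio(events):
    """Fraction of writes whose target carries the encrypted-file extension."""
    return sum(e.path.lower().endswith(ENCRYPTED_EXT) for e in events) / len(events)


def detect(events, window=timedelta(seconds=30), min_files=5, min_ratio=0.8):
    """Group events per process and flag any process that, inside one window,
    writes at least min_files files, mostly with the encrypted extension, in
    newest-first order. Returns {pid: reason}."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    alerts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            burst = evs[i:j]
            if len(burst) < min_files:
                continue
            ratio = encrypted_ratio(burst)
            if ratio >= min_ratio and newest_first(burst):
                alerts[pid] = (f"{len(burst)} writes within {window.seconds}s, "
                               f"{ratio:.0%} carrying {ENCRYPTED_EXT}, newest-first order")
                break
    return alerts


# Constructed sample telemetry: pid 4242 behaves like the encryptor, pid 1111 is
# a backup job writing the same number of files with no mtime pattern.
T0 = datetime(2025, 1, 6, 9, 0, 0)


def _ago(minutes):
    return T0 - timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    FileEvent(T0 + timedelta(seconds=1), 4242, r"C:\Finance\q4-forecast.xlsx.prinzeugen", _ago(5)),
    FileEvent(T0 + timedelta(seconds=2), 4242, r"C:\Finance\a-memo.docx.prinzeugen", _ago(10)),
    FileEvent(T0 + timedelta(seconds=3), 4242, r"C:\Finance\b-memo.docx.prinzeugen", _ago(10)),
    FileEvent(T0 + timedelta(seconds=4), 4242, r"C:\HR\handbook.pdf.prinzeugen", _ago(60)),
    FileEvent(T0 + timedelta(seconds=5), 4242, r"C:\HR\archive-2019.zip.prinzeugen", _ago(120)),
    FileEvent(T0 + timedelta(seconds=1), 1111, r"D:\backup\set1.bak", _ago(120)),
    FileEvent(T0 + timedelta(seconds=2), 1111, r"D:\backup\set2.bak", _ago(5)),
    FileEvent(T0 + timedelta(seconds=3), 1111, r"D:\backup\set3.bak", _ago(60)),
    FileEvent(T0 + timedelta(seconds=4), 1111, r"D:\backup\set4.bak", _ago(10)),
    FileEvent(T0 + timedelta(seconds=5), 1111, r"D:\backup\set5.bak", _ago(10)),
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid {pid}: {reason}")
```

The extension ratio alone would also fire on a legitimate bulk-rename job, so the ordering check is what ties the alert to this family's traversal; the window, file-count and ratio thresholds are starting points to tune against a fleet's normal write rates.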
Encryption primitives, chunking, and safety checks
Prinz Eugen’s encryptor is written in Go and uses modern cryptographic primitives. The malware employs ChaCha20-Poly1305 encryption with a 32-byte master key, and it generates a random initialization vector for each file. Key derivation combines Argon2id, SHA-256, and HKDF-SHA256. Files are encrypted in 1 MB chunks, and file integrity is checked using SHA-256.
When executed with a --delete flag, the malware performs an additional check to ensure a file can be decrypted before removing the original copy. To prevent post-incident recovery of encryption keys, the encryptor overwrites the key material with zeroes, forces garbage collection to remove it from memory, and then self-deletes from disk.
Hands-on operators, non-RaaS structure, and out-of-band extortion
Threatdown’s analysis concludes Prinz Eugen is not operating as ransomware-as-a-service (RaaS); the developers are “not currently looking for affiliates.” The actors instead run a hands-on style that minimizes automated artifacts left on infected systems.
Notably, the encryptor contains no routine for dropping a text ransom note or changing the desktop wallpaper. Threatdown researchers say the absence of a ransom note “is a tactic we see more often among organized ransomware groups.” They add: “By moving ransom communications entirely out-of-band (through direct email, phone contact, or dark-web victim portals), the actor reduces forensic artifacts and complicates automated detection of the extortion phase.”
Observed victims, demands, and defensive follow-up
Threatdown identified at least five Prinz Eugen victims. The actor’s public data leak site, however, lists only three victims, indicating not all breaches are visible on the threat actor’s portal. In the case of the Standard Bank breach documented by the researchers, the attacker demanded 1 BTC and the demand was refused.
ThreatDown’s report also supplies indicators of compromise intended to help organizations detect and defend against Prinz Eugen operations.
What this means for security teams, affected enterprises, and procurement leaders
- Security teams: Expect human-operated activity using legitimate RMM tools and credential theft; monitoring for anomalous RMM sessions and rapid, recursive file access on endpoints will be important because the ransomware prioritizes recent files and leaves few on-disk extortion artifacts.
- Affected enterprises: The prioritization of recently modified files increases the potential operational impact; organizations should review credential hygiene for remote access and investigate persistence mechanisms such as backdoor administrator accounts.
- Procurement and IT buyers: The observed use of RemotePC and legitimate RMM underscores the need for tighter controls and vetting around remote management tools and the accounts that can access them.
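To make the monitoring advice in the three points above concrete, here is an added example (not Threatdown's code and not derived from the report beyond the indicators it names) that hunts for the intrusion chain the report describes over constructed Windows Security events: an RDP logon from outside a trusted range, execution of servertool.exe or a RemotePC binary shortly afterwards on the same host, and a newly created account added to the local Administrators group. The event-ID mapping (4624 with logon type 10 for RDP, 4688 for process creation, 4720 for account creation, 4732 for local-group membership changes) is standard Windows auditing; the field names, the trusted network range, the RemotePC path match and every host, user and address in the sample are assumptions of this example.

```python
import ipaddress
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

PAYLOAD_NAMES = {"servertool.exe"}   # payload name reported by Threatdown
RMM_MARKERS = ("remotepc",)          # assumption: RemotePC binaries carry the product name in their path
TRUSTED_RDP_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed allowlist of jump-host ranges


def rdp_from_untrusted(ev):
    """4624 with logon type 10 (RemoteInteractive) from a source outside the allowlist."""
    if ev["id"] != 4624 or ev.get("logon_type") != 10:
        return False
    ip = ipaddress.ip_address(ev["src_ip"])
    return not any(ip in net for net in TRUSTED_RDP_NETS)


def image_name(ev):
    return PureWindowsPath(ev["image"]).name.lower()


def hunt(events, chain_window=timedelta(minutes=30)):
    """Return a list of (rule, host, detail) findings, in event order."""
    findings = []
    rdp_by_host = {}   # host -> timestamp of the latest untrusted RDP logon
    created = set()    # (host, account) pairs created during the hunt window
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if rdp_from_untrusted(ev):
            rdp_by_host[host] = ev["ts"]
            findings.append(("rdp_untrusted_source", host, f"{ev['user']} from {ev['src_ip']}"))
        elif ev["id"] == 4688:
            name = image_name(ev)
            if name in PAYLOAD_NAMES:
                rule = "known_payload"
            elif any(m in ev["image"].lower() for m in RMM_MARKERS):
                rule = "rmm_execution"
            else:
                continue
            findings.append((rule, host, ev["image"]))
            # escalate when the process follows an untrusted RDP logon on the same host
            t = rdp_by_host.get(host)
            if t is not None and ev["ts"] - t <= chain_window:
                gap = int((ev["ts"] - t).total_seconds())
                findings.append(("chain_rdp_then_" + rule, host, f"{name} {gap}s after RDP logon"))
        elif ev["id"] == 4720:
            created.add((host, ev["target_user"]))
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            # a freshly created account landing in Administrators matches the
            # backdoor administrator account described in the report
            if (host, ev["target_user"]) in created:
                findings.append(("new_local_admin", host, ev["target_user"]))
    return findings


# Constructed sample: one compromised file server (FS01) and one benign RDP session (WS07).
T0 = datetime(2025, 1, 6, 22, 15, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "host": "FS01", "id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"ts": T0 + timedelta(minutes=1), "host": "WS07", "id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.1.2.3"},
    {"ts": T0 + timedelta(minutes=2), "host": "FS01", "id": 4688, "user": "svc_backup",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": T0 + timedelta(minutes=4), "host": "FS01", "id": 4688, "user": "svc_backup",
     "image": r"C:\Users\svc_backup\Downloads\servertool.exe"},
    {"ts": T0 + timedelta(minutes=6), "host": "FS01", "id": 4688, "user": "svc_backup",
     "image": r"C:\Program Files (x86)\RemotePC\RemotePC.exe"},
    {"ts": T0 + timedelta(minutes=9), "host": "FS01", "id": 4720, "target_user": "support_adm"},
    {"ts": T0 + timedelta(minutes=9, seconds=20), "host": "FS01", "id": 4732,
     "target_user": "support_adm", "group": "Administrators"},
]

if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {host:6} {detail}")
```

The chain rules are the ones worth paging on: a lone RemotePC process on a host where the help desk uses it is noise, while RemotePC or servertool.exe appearing minutes after an RDP logon from an unexpected source, followed by a new local administrator, is the sequence the report attributes to the operators.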
Prinz Eugen’s combination of targeted, hands-on intrusion, exhaustive recursive encryption, robust cryptography, and out-of-band extortion produces a smaller forensic footprint while raising the operational stakes for victims. The specifics Threatdown publishes — the servertool.exe payload, RemotePC use, the .prinzeugen extension, ChaCha20-Poly1305 with Argon2id/SHA-256/HKDF-SHA256 key derivation, and the --delete safety check — give defenders concrete signatures to hunt for even as the attackers seek to move ransom conversations off-device.